Encryption Metadata Serialization

Each repository implementation class leverages standard cipher operations to perform encryption and decryption. In order to support AES, the encryption process writes metadata associated with each encryption operation. Encryption protocol version 1 uses Java Object serialization to write objects containing the encryption Key Identifier, the cipher Initialization Vector, and other required properties. Serialized objects include the following required properties:

| Property Name | Property Type | Description |
| --- | --- | --- |
| keyId | String | Encryption key identifier |
| ivBytes | byte[] | Cipher initialization vector |
| algorithm | String | Cipher algorithm |
| version | String | Encryption protocol version |
| cipherByteLength | int | Length of enciphered record |

Metadata serialization uses the standard java.io.ObjectOutputStream.writeObject() method to write objects to a stream that can be converted to a byte array. The deserialization process uses a custom extension of the java.io.ObjectInputStream to read objects regardless of the original class name associated with the record. This approach requires the presence of the standard metadata properties, but provides a compatibility layer that avoids linking the implementation to a specific Java class.

The initial implementation of encrypted repositories used different byte array markers when writing metadata. Each repository implementation uses the following byte array markers before writing a serialized metadata record:

| Repository Type | Byte Array |
| --- | --- |
| Content Repository | byte[]{0x00, 0x00} |
| FlowFile Repository | byte[]{} |
| Provenance Repository | byte[]{0x01} |
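
The class-name-independent read and the marker prefix described above can be sketched as follows. This is an added example, not code from the original page or the project: the names MetadataCompatExample, LegacyMetadata, RecordMetadata and CompatInputStream and the sample values are assumptions. It relies on the writer-side and reader-side classes declaring the same required properties with the same types.

```java
import java.io.*;
import java.util.Arrays;
public class MetadataCompatExample {
    // Hypothetical writer-side class, standing in for a metadata class under a different name.
    static class LegacyMetadata implements Serializable {
        private static final long serialVersionUID = 1L;
        String keyId, algorithm, version; byte[] ivBytes; int cipherByteLength;
    }
    // Hypothetical reader-side class with the same five required properties.
    static class RecordMetadata implements Serializable {
        private static final long serialVersionUID = 2L;
        String keyId, algorithm, version; byte[] ivBytes; int cipherByteLength;
    }
    // Substitutes the local descriptor for whatever class name the stream carries.
    static class CompatInputStream extends ObjectInputStream {
        CompatInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
            ObjectStreamClass fromStream = super.readClassDescriptor(); // consume the stream's descriptor
            if (fromStream.getName().equals(byte[].class.getName())) {
                return fromStream; // ivBytes is a byte[] and keeps its own array descriptor
            }
            return ObjectStreamClass.lookup(RecordMetadata.class);
        }
    }
    static byte[] write(byte[] marker, Serializable metadata) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        bytes.write(marker); // repository marker precedes the serialized record
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(metadata); }
        return bytes.toByteArray();
    }
    static RecordMetadata read(byte[] marker, byte[] record) throws IOException, ClassNotFoundException {
        if (record.length < marker.length || !Arrays.equals(marker, Arrays.copyOf(record, marker.length))) {
            throw new IOException("repository marker not found");
        }
        InputStream in = new ByteArrayInputStream(record, marker.length, record.length - marker.length);
        try (ObjectInputStream objects = new CompatInputStream(in)) {
            return (RecordMetadata) objects.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        LegacyMetadata legacy = new LegacyMetadata(); // constructed sample values
        legacy.keyId = "key-1"; legacy.algorithm = "AES/GCM/NoPadding"; legacy.version = "v1";
        legacy.ivBytes = new byte[16]; legacy.cipherByteLength = 1024;
        byte[] contentMarker = {0x00, 0x00}; // Content Repository marker listed above
        RecordMetadata metadata = read(contentMarker, write(contentMarker, legacy));
        System.out.println(metadata.keyId + " iv=" + metadata.ivBytes.length + " length=" + metadata.cipherByteLength);
    }
}
```

Because field data is read using the local class layout, a record whose class lacks the standard properties fails to deserialize instead of being mapped silently.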